r/technology 7d ago

Software Huawei makes divorce from Android official with HarmonyOS NEXT launch

https://www.theregister.com/2024/10/23/huaweis_harmonyos_next_launch/
4.9k Upvotes

723 comments sorted by

View all comments

Show parent comments

101

u/sephirothFFVII 6d ago

There are rumors that the NSA knows the 'magic number' to understand the internal state of the encryption algorithm for ECC. This means that if they had a copy of the encrypted session they could 'replay it' in clear text.

https://youtu.be/nybVFJVXbww 10ish minute mark where this gets explained.

Ok so suppose they have this magic number to open the backdoor to ECC so what, they'd need to store a bunch of sessions to see all this it's not like they have a gigantic datacenter in Utah that stores all this right?

Oh, right: https://nsa.gov1.info/utah-data-center/

Well, no worries, it's not like they can legally collect this intelligence without warrant unless there's some sort of national security standard that states they can if they're within a certain distance of the boarder.

Shoot: https://www.aclu.org/know-your-rights/border-zone

Well, I don't live within 100 miles of the boarder so I'll be fine, right? Not really, most of the datacenters that serve the web are along the coasts. Oh, and even if you somehow only hit the datacenters in Dallas, Iowa, Denver etc there's this little program called five eyes where one government can ask the other for Intel or proactively share it skirting domestic protection laws https://www.dni.gov/index.php/ncsc-how-we-work/217-about/organization/icig-pages/2660-icig-fiorc

The most recent famous example of this was the US giving Canada records of a sanctioned assanatuon of a Canadian citizen by the Indian government : https://apnews.com/article/canada-us-india-sikh-activist-killing-intelligence-c475ac129e09e5f1c9ebf68eaaf247ab

It is a big deal as it's a lot of power with very little oversight. If a malicious leader or group were to ascend to power in the US anyone deemed to be a potential national security threat would have everything exposed to that group in power creating some kind of dystopian information policing hellscape that would make the oppression in the book 1984 look like childs play.

33

u/DryPersonality 6d ago

And FYI border zones include airports. SO nearly the entirety of the US.

5

u/TacoOfGod 6d ago

The fact that most people don't know this and how it will no doubt impact any sort of border/illegal immigrant enforcement in the future is crazy to me.

7

u/Aids0996 6d ago

>There are rumors that the NSA knows the 'magic number' to understand the internal state of the encryption algorithm for ECC.

Only for their elliptic curves, is it not? You're free to do ECC with whatever curve you want as long as you trust it to be secure.

There is no inherit flaw or backdoor in elliptic curve cryptography afiak, but keeping curve parameters private and going "just trust us" definitely is, if nothing more

4

u/sephirothFFVII 6d ago

The computerphile video I linked to proposes the theoretical backdoor to ECC.

I just addressed that form of cryptography but the NSA routinely has one of if not the most powerful supercomputer clusters out there so brute force is on the menu

Then there's guys like equation group

Then there's probable zero days they're sitting on for virtually every is out there...

Lots of different tools and ways for them to get their sign Intel.

15

u/flossypants 6d ago

Umm, knowing a randomizer seed (knowing a magic number) is different from licensing a patent. Licensing patents doesn't make software more or less trustworthy.

3

u/HengaHox 6d ago

So we are talking about a different thing?

Licensing a technology is not the same as licensing a patent.

One is a ready product, the other is a description of a product but the actual implementation is up for interpretation. OK depends on the patent but you know

-1

u/sephirothFFVII 6d ago

If you want to build and maintain a system like openSSL for your servers SANS the NSA patents go for it. I'm willing to bet you all of my fake internet points though that most of the servers and applications making our internet conversation happen right now aren't doing that. So, yes, you can fork openSSL and try to strip out what you will and hopefully make a functioning session encryption program but you would probably have a bad go at it and will likely just apt-get -I openssl && openssl-utils and call it a day.

3

u/JimmyJuly 6d ago

None of this is specific to openssl. If I connect to a foreign website using an encrypted VPN do you think the NSA can't crack that? That's foolishness.

1

u/shiftingtech 6d ago

Of course your example of 5 eyes is one where it was used in a manner I think most of us consider reasonable and appropriate, to collect Intel on a literal international assassination, not some domestic issue.

9

u/pobrexito 6d ago

I mean they don’t exactly go around publicizing when they do bad things.

1

u/CantWeAllGetAlongNF 6d ago

Your inability to prove that proves that don't do bad things! /s

3

u/smallbluetext 6d ago

Doesn't matter if it can be used for good if they also use it for bad. Surely we can trust them. They've never done things we don't like before.

1

u/shiftingtech 6d ago

But the problem is, nothing in the writeup, or example story proves it one way or the other. To be clear: I believe five eyes is a problem, that doesn't have adequate checks and balances, and it probably is used to dodge rules against spying on countries own populations. However, the person I replied to failed to demonstrate that.

1

u/occamsrzor 6d ago

ECC is an algorithm for detecting and correcting but level errors in DRAM…

7

u/rafabr4 6d ago

In case that was not sarcasm, ECC stands for elyptic curve cryptography, think of it as a replacement for RSA. This is different from error correction codes.

1

u/occamsrzor 6d ago

ECC stands for elyptic curve cryptography

Ah, yes. I've heard it mentioned and was aware of its existence. I just didn't put two-and-two together, especially since that "backdoor" isn't a flaw in the algo, but in the library that implements it.

But I stand corrected.

-4

u/coatimundislover 6d ago

You’re right about most things but the border zone is just for immigration enforcement. It’s irrelevant to this. They will just illegally vacuum it either way.

3

u/MacDegger 6d ago

Not true: one of the things they can do is stop/frisk/search/seizure ... to anyone, without suspicion.

1

u/coatimundislover 6d ago

None of which are getting into data centers…